Re: pf, ftp-proxy, default deny, 421 Service not available
From: Chris Zakelj (c.zakelj ieee.org)
Date: Wed Nov 03 2004 - 10:16:52 CST
Craig Skinner wrote:
> Chris Zakelj wrote:
>
> > And finally, I created a hole for ftp-proxy (line 29).
> >
> > pass in on $ext_if inet proto tcp from any to ($ext_if) port 20
> > user proxy keep state
>
> This raised my bushy eyebrows. I didn't think of that as:
>
> > client opens a local port > 1023 to server's port 21
> > server responds on same channel
> > client opens a local port > 1023 to server's port > 1023 as
> > negotiated in the previous step.
That is the process when using passive FTP. Active goes like this...
1. Client opens local >1023 to server 21
2. Server responds on same channel
3. Client opens local 20 to receive data from server >1023
The proxy program is there because unless you have an rdr pass in
pf.conf, that connection back won't get to the client. If you do have
an rdr pass, only the machine that the statement points to will work
with active ftp. So what the proxy does is watch which machines are
connecting to which servers, then acts as a sort of traffic cop to guide
the packets back to where they belong.
> > 2. This is an incredibly restrictive ruleset.
>
> Aye
>
> > Unless you've specifically named the service you're looking for,
> > it'll get blocked; if you try to do something like p2p, mmog, or
> > anything else beyond email, ssh, websurfing, ftp, and telnetting to
> > that dlink router, you'll be out of luck.
>
> What? You mean there's more? ;)
If you don't mind, I'd like to paste your original pf and my edited
version... more eyeballs could likely whack this problem quicker.
> > Let me know the results, we'll get this thing licked!
>
> We had a flood in the kitchen last night and it's the wife's birthday
> today so I may be sloowww in getting back to this. Cheers.
Well happy birthday to the missus, and somewhere around here I'm sure
I've got a couple of sandbags and a bucket ;)